KR20090109702A - Method and apparatus for protecting input data of usb devices - Google Patents

Abstract

PURPOSE: A method for protecting input data of a USB device and an apparatus thereof are provided to overcome the essential weakness of a hooking method. CONSTITUTION: A method for protecting input data of a USB device comprises the following steps of: generating and transmitting an input/output request packet(IRP) in a USB input data protective mode in a filter driver(105) to an IRP queue(400) of a lower USB bus driver; calling a cancellation routine for the IRP in the filter driver; and completing the data input and conversion of status information by generating a random key in the cancellation routine of the USB bus driver.

Description

METHOD AND APPARATUS FOR PROTECTING INPUT DATA OF USB DEVICES}

The present invention relates to a computer security system, and in particular to any random on the USB device stack for data security input from all USB devices, including a USB keyboard communicated through a Universal Serial Port (USB) port. The present invention relates to a method and apparatus for input data security of a USB device capable of extracting only data input by a user by generating data and mixing the same with data input by a user.

In recent years, as financial transactions such as banking or securities operations over the Internet, and communication of data including e-mails or confidential information have increased, others have been using malicious vulnerabilities of internet communication security. For personal purposes, there are frequent cases of extracting personal information or secret information.

Such information leakage is made through various spyware or hacking programs, and most of them are obtained through an input device such as a keyboard and separately obtained in the middle, and then an e-mail address or a website promised. This is done by sending the data to a web site address.

1 is a diagram illustrating a driver hierarchy for conventional USB device data.

Referring to FIG. 1, a filter driver 104 is installed in a client driver 112 layer for driving a USB keyboard to control / protect an input / output of a USB keyboard device as an example of a conventional USB device. It was common to implement keyboard security either by hooking or hooking.

That is, the data (key value) registered by the low filter in the HID (Human Interface Device) USB driver 106 is uploaded to the application.

However, the client driver 112 level filter method has a disadvantage in that data may be lost by a packet analysis tool or a key logger operating in a lower region than the client driver 112 layer.

As such, in recent years, as malicious codes operate in a lower area than the client driver 112 layer, malicious codes that operate lower than the client driver 112 layer also in security for USB devices. In order to cope with this, a program for protecting input / output data of USB devices has been developed through a technique of hooking a completion routine of a hub driver 102 or a USB bus driver 100.

In the input data security method of a USB device according to the prior art operating as described above, the technique of hooking the hub driver 102 or the USB bus driver 100, which is a lower layer than the client driver 112 layer, includes these techniques. Although it can be effective to cope with malicious codes operating in the area, it is a system in the process of restoring a crash issue caused by multiple companies' security products hooking the same layer and a function hooked when unloading. There have been frequent cases of system crash, and there are also many problems that have to be solved.

In addition, there is a problem that it is difficult to more stably protect data of USB devices from increasingly sophisticated malicious code by simply hooking the lower layer hub driver 102 or the USB bus driver 100 as described above. .

Accordingly, the present invention provides a method and apparatus for input data security of a USB device capable of performing security on data input from devices connected in a USB manner on a digital device such as a computer.

In addition, the present invention, for the security of data input from all USB devices including a USB keyboard on a digital device such as a computer to generate random data on the USB bus driver in the kernel area to mix with the data entered by the user, Thereafter, the present invention provides a method and device for input data security of a USB device capable of extracting only data input by a user by filtering random keys from user input data mixed with random data on a filter driver in a user area.

In addition, the present invention, if the cancellation routine for the IRP delivered from the filter driver in the USB bus driver for the security of data input from all the USB devices, including the USB keyboard, input any input / output random key After inputting in the I / O Request Packet (hereinafter referred to as "IRP"), the state change is performed to mix with the IRP including the keyboard input data, and then the IRP including the random key is filtered on the filter driver. Provided are a method and an apparatus for securing input data of a USB device capable of extracting only data input by a user.

According to an embodiment of the present invention, (a) in the filter driver, in the USB input data protection mode, generating an input / output request packet (IRP) and transferring it to a lower USB bus driver; and (b) the IRP in the filter driver. (C) generating a random key from the cancellation routine of the USB bus driver to complete data input and conversion of status information to the IRP, and delivering the completed IRP to the filter driver. And (d) extracting only actual keyboard input data by examining the IRPs delivered from the filter driver.

In an embodiment of the present invention, in the USB input data protection mode, after generating an input / output request packet (IRP) and delivering it to a lower driver stage, canceling the IRP, and receiving the completed IRP from the lower driver stage. In response to this, a random key is discarded and a filter driver for encrypting the actual input data is transmitted to the application, and the IRP is received from the filter driver, and a random key is generated when a cancellation routine is called. And a USB bus driver for inputting the IRP and converting the IRP state information to transfer the completed IRP to the filter driver.

In the present invention, the effects obtained by the representative ones of the disclosed inventions will be briefly described as follows.

The present invention, in protecting input data of a USB device such as a USB keyboard on a digital device such as a computer, by using a random key generation method at the USB bus driver stage, can overcome the fundamental weakness of the conventional hooking method. It also protects the input data of USB devices more securely than existing keys or keyboard security technology.

Hereinafter, the operating principle of the present invention will be described in detail with reference to the accompanying drawings. In the following description of the present invention, when it is determined that a detailed description of a known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted. Terms to be described later are terms defined in consideration of functions in the present invention, and may be changed according to intentions or customs of users or operators. Therefore, the definition should be made based on the contents throughout the specification.

The present invention generates a random random key on the USB bus driver and mixes it with the data input by the user in order to secure data input from all USB devices including a USB keyboard on a digital device such as a computer. It extracts only the data input by the user by filtering the random key from the user input data mixed with the random keys on the driver.

That is, when the cancellation routine for the IRP transmitted from the filter driver is called by the USB bus driver, after entering a random random key into the input IRP, the state change is performed to mix with the IRP including the keyboard input data. After that, the filter driver extracts only the data input by the user by filtering the IRP including the random key.

Meanwhile, in the following description of the present invention, a method of securing input data for a USB keyboard among USB devices connected to a digital device such as a computing system and a USB port will be described. However, a USB mouse, a USB joystick, It will be apparent to those skilled in the art that the same applies to various USB devices such as a USB numeric keypad.

FIG. 2 is a diagram illustrating a driver hierarchy structure for USB device data security according to an exemplary embodiment of the present invention. In particular, FIG. 2 illustrates a driver hierarchy structure in which input data is generated and processed by a USB keyboard among USB devices.

Referring to FIG. 2, the driver hierarchy for the USB keyboard connection may include a keyboard class driver 110, a keyboard HID driver 108, and a HID, which are upper application layer 210 and client driver 112 layers. A USB driver 106, a filter driver 104, and the like, and data input from the USB keyboard 200 includes the USB bus driver 100, the USB hub driver 102, the HID USB driver 106, and the like. The keyboard is transmitted to the upper application layer 210 via the keyboard HID driver 108 and the keyboard class driver 110.

Hereinafter, an apparatus for processing USB keyboard input data and an operation in each driver layer will be described in detail. First, the root hub 202 includes a port for physically connecting the USB keyboard 200 and is connected to the USB host controller 204. The USB host controller 204 is connected to a host PC via a PCI bus.

The client driver 112, the keyboard class driver 110, the keyboard HID driver 108, and the HID USB driver 106 are three drivers provided by the computer operating system that are necessary for the USB keyboard to operate. Data input from the USB keyboard 200 is transferred to the upper application layer 210 to recognize the keyboard input.

The filter driver 104 is implemented in the client driver 112 layer, and generally includes a USB keyboard, a USB mouse, a USB storage device, etc. according to the USB device in the IRP generated for transferring the USB device data from the application layer 210. Change the IRP format to recognize that the data is from.

However, since the field used by the operating system and the driver is fixed in the format of the IRP generated by the operating system after being received by the application layer 210 and transmitted to the filter driver 104, other parts besides keyboard data input may be modified. none. By registering the IRP generation module capable of generating IRP as a filter driver, the IRP coming down from the application layer 210 is temporarily stored, and the self-generated IRP is transferred to the USB bus driver.

At this time, the IRP and the random key including the basic keyboard input data among the IRPs transmitted from the USB bus driver through inspection can be indicated by allowing the generated IRP to indicate that the IRP includes fake input data. It may be possible to distinguish between the IRP included.

The root hub 202 is connected to a plurality of USB devices including a USB keyboard 200, a USB mouse, and a USB storage device, and applies data input / output from the USB device to the host controller 204. The USB bus driver 100 is connected to the host controller 204 through a PCI bus to transfer data input from a plurality of USB devices to the application layer 210 by loading them on the IRP transmitted from the application layer 210.

Figure 3 is a detailed internal configuration of the USB bus driver according to an embodiment of the present invention, the USB bus driver 100 is a miniport driver (302, 304, 306), USB bus class driver 300 It includes.

In general, two host controllers exist for connecting a USB device from a computer to a USB host controller interface (UHCI) and an open host controller interface (OHCI). The drivers controlling them are uhci type, ohci type, and enhanced host controller interface (ehci). There are three types of types. Each time the PCI bus driver 206 finds one host controller connected to the PCI bus, it creates a functional device object (FDO) and a physical device object (PDO) data structure. The miniport driver 302, 304, 306 is a driver that handles hardware-characterized tasks. It consists of three drivers (usbuhci, usbohci, and usbehci) according to the type of host controller to control each host controller. When data values are input from various USB devices including 200, the USB bus class driver 300 is notified through the notification 307.

The USB bus class driver 300 receives an IRP (I / O Request Packet) requesting USB input data from the application layer 210 of the user area and holds it in the IRP queue. Complete the USB data value in the field. At this time, the USB bus class driver 300 completes the USB data input by calling an input / output completion request function (hereinafter referred to as IoCompleteRequest) which is one of OS functions.

4 is a block diagram illustrating an IRP processing scheme according to a preferred embodiment of the present invention.

Referring to FIG. 4, the IRP generation module is registered as the filter driver 105 in the operating system. Thereafter, when USB input data protection is required, a new keyboard IRP1 404 is generated and transferred to the lower driver through the IRP generation module registered as the filter driver 105, and the keyboard IRP1 404 transferred to the lower driver stage is It enters the IRP queue 400 of the USB bus driver 100 and is temporarily stored.

In addition to the keyboard IRP1 404 generated from the registered filter driver 105, the IRP queue 400 also transmits general IRPs generated from the application layer 210 to receive data of the USB keyboard and other USB devices. Will receive.

The filter driver 105 then cancels the IRP1 404. As a result, the IRP1 404 stored in the IRP queue 400 of the USB bus driver 100 is canceled. Accordingly, the operating system calls the cancel routine 402 of the USB bus driver 100 registered in the IRP1 404 through the filter driver 105.

In general, performing such a cancellation routine may be when the USB device is disconnected from the computer system or when the application is terminated while executing the application using data input through the USB device. However, in general, when the USB keyboard is controlled, such a cancellation routine is rarely performed. However, the forced cancellation command for protecting the input data as described above can be performed.

However, the general cancellation routine sets the state information in the IRP to canceled in response to an input data error or a call to the cancellation routine, and passes it to the filter driver without inputting any other data. You will be confirmed. However, when the current USB input data protection is required, the cancellation routine unit 402 including the random key generation module is called on the filter driver 105. The cancellation routine unit 402 generates a random key. The random key value generated in the canceled IRP is inputted, and the state information in the IRP is set as success and transmitted to the filter driver 105.

In other words, by entering a random key value for the existing cancellation IRP through the cancellation routine unit 402, converts the status information to success, and passes it to the upper driver, even if the malicious code is caught in the middle of the random value It is not known whether it is a key value or an actual keyboard input value. However, the filter driver 105 may distinguish the fake information through the fake information inserted in a specific region when checking the received IRP field.

5 is a block diagram illustrating a random key generation method in a USB bus driver according to an exemplary embodiment of the present invention.

5, when the cancellation routine 402 of the USB bus driver 100 is called from the filter driver 105, a random key value is generated within the cancellation routine 402, and the corresponding IRP1 404 is finished. As the user presses the keyboard, the keyboard data is input to perform the data input completion request. Specifically, the IRP stored in the IRP queue 400 is close to 0 bytes, but when input data is input to the IRP from the keyboard, the IRP has a constant byte capacity (for example, 8 bytes). Therefore, the cancellation routine 402 inputs a random key value generated on the received IRP, and performs state transition, so that the IRP has 8 bytes, which is the same byte capacity as that of the keyboard input.

For example, if the password to be entered when security is required is "KOREA", the data entered by the user on the actual keyboard is performed while the actual password is input, while in the cancellation routine 402. A random key is generated and randomly transmitted to the filter driver 105 along with the actual data value. That is, if one key value is stored in one IRP, the filter driver 105 receives each IRP including K, O, R, E, A, and at the same time, the IRP including other alphabetic and numeric keys. You will be delivered.

When the random key generated as described above is input to the IRP1 404, the security of the keyboard input data is required. When the input data security is required, the filter driver 105 generates the IRP1 404 to generate the USB. It passes to the bus driver 100 and calls the cancellation routine 402 for the delivered IRP1 404. In this case, when the security of the keyboard input data is required, the filter driver 105 recognizes this in the application layer when the user inputs important data through the keyboard, such as inputting a password at the time of internet banking or a specific homepage login. The IRP generation and cancellation routine 402 call is executed on the screen, and the cancellation routine 402 call and the IRP format change are performed a predetermined number of times (for example, 20 per second) when input data security is required. To 30 times).

Accordingly, the IoCompleteRequest function 408 called by the USB bus class driver 300 is a call back function 410 registered by the HID USB driver 106, the filter driver 104, and the hub driver 102, respectively. In turn, you will be notified that the IRP is complete.

Thereafter, the completed IRP1 '406 contains a randomly generated random key, and the IRP in which the random key is input is discarded by checking the IRP including the random key among the completed IRPs in the filter driver 105. The IRP including the confirmed actual keyboard input data is encrypted and transmitted to the application layer 210 or transmitted to another server through a network.

FIG. 6 is a flowchart illustrating a procedure for performing security of keyboard data in a filter drive and a USB bus driver stage according to an exemplary embodiment of the present invention.

Referring to FIG. 6, when a user inputs important data through a USB keyboard such as a user ID, an account number, and a password for a banking service using a computer, the application may input data from the keyboard. It will be recognized as a time to protect.

For example, when a user places a cursor in a password input window on a computer application screen to input a password, an application installed in the computer recognizes that the cursor is located in the password input window and recognizes it as a protection point of keyboard data.

As described above, when the protection time of the keyboard input data is recognized, the filter driver 104 is set to the keyboard data protection mode in step 600, and thereafter, a step-by-step operation for protecting the keyboard data input by the user through the USB keyboard is performed. Will perform.

Of course, if the default setting is kept in the keyboard data protection mode, it is also possible to perform security processing on all input data input from the keyboard.

Accordingly, the application drives the filter driver 105, which is an IRP generation module, in step 602, and drives a random key generation module in the cancellation routine 402. The driven filter driver 105 generates a new keyboard IRP in step 604. To the lower drive. The keyboard IRP transferred to the lower drive stage is transferred to the IRP queue 400 of the USB bus driver 100.

Thereafter, the filter driver 105 cancels the keyboard IRP transmitted to the lower driver in step 606. At this time, the operating system calls the cancel routine 402 of the USB bus driver 100 registered in the corresponding IRP.

In step 610, a random key is generated in the cancellation routine 402 of the USB bus driver 100, a random key having the same data capacity as the keyboard input data is input to the IRP, and the state information is converted into success. After that, a data input completion request is performed. In this way, the IRP with random key input through the cancellation routine and the IRP with actual keyboard data input through the conventional method respectively complete the keyboard data input through the data input completion request.

The completed IRP is transmitted to the filter driver 105, and the filter driver 105 performs a check on the IRP including the random key among the completed IRPs in step 612. In step 614, the data input to the IRP is input by the user. If the data input to the IRP is a random key by checking whether the key is input, the process proceeds to step 616 where the IRP including the random key is discarded.

In this way, if the IRP is input by the actual user through the inspection of each IRP, that is, the input data through the keyboard, the flow proceeds to step 618 to encrypt the keyboard input data and deliver it to the application layer 210 or It then sends it over the network to other servers as needed.

As described above, the present invention generates random data on the USB device stack and mixes it with the data input by the user for the security of data input from all the USB devices, and then randomly mixes the random data in the user input data. Filter the key to extract only the data entered by the user.

Meanwhile, in the detailed description of the present invention, specific embodiments have been described, but various modifications are possible without departing from the scope of the present invention. Therefore, the scope of the present invention should not be limited to the described embodiments, but should be defined not only by the scope of the following claims, but also by those equivalent to the scope of the claims.

1 is a diagram illustrating a driver hierarchy for conventional USB device data;

2 is a diagram illustrating a driver hierarchy structure for USB device data security according to an embodiment of the present invention;

3 is an internal structure diagram of a USB bus driver according to an embodiment of the present invention;

4 is a block diagram showing an IRP processing scheme according to a preferred embodiment of the present invention;

5 is a block diagram showing a random key generation method in a USB bus driver according to an embodiment of the present invention;

6 is a flowchart illustrating a security procedure for USB device data according to a preferred embodiment of the present invention.

<Brief description of the major symbols in the drawings>

100: USB bus driver 104, 105: Filter driver

106: HID USB Driver 108: Keyboard HID Driver

110: Keyboard Class Driver 200: USB Keyboard

202: Root Hub 204: Host Controller

300: USB Bus Class Driver

302, 304, 306: Miniport Driver

 404, 406: IRP

Claims (10)

(a) a process of generating an input / output request packet (IRP) and transferring it to the IRP queues of the lower USB bus driver in the USB driver data protection mode; (b) invoking a cancellation routine for the IRP in the filter driver; (c) generating a random key from the cancellation routine of the USB bus driver to complete data input and conversion of state information to the IRP, and transferring the completed IRP to the filter driver; (d) process of extracting only actual keyboard input data by examining the IRPs received from the filter driver Input data security method of a USB device comprising a. The method of claim 1, The method, In the USB input data protection mode while the USB device is connected on the digital device, registering a filter driver including an input / output request packet (IRP) generation module in the operating system of the digital device; Registering an IRP generation module for generating an IRP including fake information in a format as the filter driver Input data security method of a USB device comprising a. The method of claim 1, Step (c) is, Generating a random key when a cancellation routine is called from the filter driver; Inputting the generated random key to the IRP, converting state information in the IRP from cancellation to success, and then performing the IRP completion Input data security method of a USB device comprising a. The method of claim 1, The USB input data protection mode, And a USB data protection mode by recognizing when a cursor is located in a data input window among application screens executed on the computer in the filter driver. The method of claim 1, The USB input data is, And a data input from a USB connected device including a USB keyboard, a USB mouse, a USB joystick, and a USB numeric keypad. In the USB input data protection mode, after generating an input / output request packet (IRP) and delivering it to the lower driver stage, the IRP is canceled, and when the completed IRP is received from the lower driver stage, the check is performed to perform a random key. Filter driver that discards it and encrypts it if it is actual input data to the application, When the IRP is received from the filter driver and a cancellation routine is called, a USB bus driver generating a random key and inputting the IRP, converting the status information of the IRP, and delivering the completed IRP to the filter driver Input data security device of the USB device comprising a. The method of claim 6, The USB bus driver, An IRP queue receiving and storing the IRP from the filter driver; When a cancellation routine is called from the filter driver, a random key is generated through a random key generation module, the generated random key is input to the IRP, and the state information in the IRP is converted from cancellation to success, and input / output completion Cancel routine for performing completion of the IRP inputted by the random key through a call to the request (IoCompleteRequest) function Input data security device of the USB device comprising a. The method of claim 6, The filter driver, And an IRP generation module for generating an IRP including fake information in the format. The method of claim 6, The USB input data protection mode, And a USB data protection mode by recognizing when a cursor is located in a data input window among application screens executed on the computer in the filter driver. The method of claim 6, The USB input data is, An input data security device of a USB device, characterized in that the data is input from a USB connected device including a USB keyboard, a USB mouse, a USB joystick, and a USB numeric keypad.

Images